Maintaining and managing a PKI


Starting with Windows Server 2003, Microsoft introduced CA role-based administration, which limits the PKI tasks an account, including a domain administrator account, can perform on a CA. By default, members of the local Administrators group hold every CA role. Once roles have been assigned to separate accounts, each account can perform only the tasks of its own role; if role separation is also enforced (certutil -setreg ca\RoleSeparationEnabled 1), an account that holds more than one role is blocked from all of them.

Whether you use role-based administration or not, four key roles must be filled to administer a CA and its components:
CA Administrator—Configures and maintains CA servers, assigns all other CA roles, and renews the CA certificate. To assign this role, grant the user the Manage CA permission on the Security tab of the CA's Properties dialog box.
Certificate Manager—Approves or denies certificate enrollment requests and revokes certificates. To assign this role, grant the user the Issue and Manage Certificates permission on the Security tab of the CA's Properties dialog box.
Backup Operator—Not so much a CA role as an OS right. Members of the local Backup Operators group, or any user holding the Back up files and directories and Restore files and directories rights, can back up and restore the CA.
Auditor—Manages the audit logs. Assigning the Manage auditing and security log right confers this role on a user.
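As an added example (not part of the original page), the following PowerShell enforces role separation and turns on CA auditing on the CA server. The CA writes its own audit events only if the Certification Services audit subcategory is also enabled in the OS, which the Auditor role is responsible for; both halves are shown.

```powershell
# Added example: enforce CA role separation and enable CA auditing.
# Run in an elevated PowerShell on the CA server (assumes the ADCS role is installed).

# 1. Role separation: once enabled, an account holding both Manage CA and
#    Issue and Manage Certificates is denied both (the CA refuses its calls).
certutil -setreg ca\RoleSeparationEnabled 1

# 2. CA audit filter. 127 = all seven categories: start/stop CA, back up/restore DB,
#    issue/manage requests, revoke/publish CRL, change CA config, change CA
#    security, store/retrieve archived keys.
certutil -setreg ca\AuditFilter 127

# 3. The CA's audit events reach the Security log only if the OS subcategory is on.
auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable

# Values under CA\ are read at service start.
Restart-Service certsvc

# Verify
certutil -getreg ca\RoleSeparationEnabled
certutil -getreg ca\AuditFilter
auditpol /get /subcategory:"Certification Services"
```

With role separation on, a user who is both CA Administrator and Certificate Manager is locked out of everything until one of the permissions is removed, so check the Security tab before enabling it.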

CA backup and restore

Regular backup of every server in a network is mandatory. A full backup or system state backup of a CA server includes the CA database along with the other data. You might also want to back up the CA database on each CA separately. The Certification Authority console (the Active Directory Certificate Services snap-in, also reachable from Server Manager) includes a simple wizard-based backup utility with the following options:
Private key and CA certificate—Backs up only the local CA's certificate and private key, as a password-protected PKCS #12 file.
Certificate database and certificate database log—Backs up the database of certificates issued by this CA, together with its log. If the database is large, you can perform incremental backups, which contain only the changes since the last full or incremental backup.

You can also back up the CA with the Certutil command-line program (certutil -backup, or certutil -backupDB for the database alone), and you can automate the process by putting the command in a batch file or script and using Task Scheduler to run it periodically. A full backup contains the CA's private key, so protect the backup location as carefully as the CA itself.
Like backup, a CA restore can be performed with the Certification Authority console or with Certutil (certutil -restore). Before the CA database can be restored, however, the CA service must be stopped; the CA Restore Wizard prompts you to stop it.
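The scheduled, scripted database backup the paragraph describes, as an added example that is not from the original page: a weekly full backup plus daily incrementals with certutil, registered as two Task Scheduler jobs running as SYSTEM. Paths are placeholders; the script assumes it is saved as C:\Scripts\Backup-CADb.ps1 and run once elevated to register itself.

```powershell
# Added example: scheduled CA database backups (weekly full, daily incremental).
# Save as C:\Scripts\Backup-CADb.ps1 and run once with no arguments to register
# the tasks; Task Scheduler then calls the same script with -Mode Full/Incremental.
param([ValidateSet('Full', 'Incremental', 'Register')] [string] $Mode = 'Register')

$root = 'D:\CABackup'   # placeholder; restrict its ACL to Administrators/SYSTEM

function Invoke-CertutilBackup([string] $Dir, [switch] $Incremental) {
    New-Item -ItemType Directory -Path $Dir -Force | Out-Null
    # certutil -backupDB <dir> [Incremental] [KeepLog]; an incremental is refused
    # if no full backup has been taken since the CA started logging.
    if ($Incremental) { certutil -backupDB $Dir Incremental } else { certutil -backupDB $Dir }
    if ($LASTEXITCODE -ne 0) { throw "certutil -backupDB failed with exit code $LASTEXITCODE" }
}

switch ($Mode) {
    'Full'        { Invoke-CertutilBackup (Join-Path $root ('full-' + (Get-Date -Format 'yyyyMMdd'))) }
    'Incremental' { Invoke-CertutilBackup (Join-Path $root ('incr-' + (Get-Date -Format 'yyyyMMdd-HHmm'))) -Incremental }
    'Register' {
        $script    = $PSCommandPath
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
        $full = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`" -Mode Full"
        $incr = New-ScheduledTaskAction -Execute 'powershell.exe' `
            -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$script`" -Mode Incremental"
        Register-ScheduledTask -TaskName 'CA DB full backup' -Action $full -Principal $principal `
            -Trigger (New-ScheduledTaskTrigger -Weekly -DaysOfWeek Sunday -At 1am) -Force
        Register-ScheduledTask -TaskName 'CA DB incremental backup' -Action $incr -Principal $principal `
            -Trigger (New-ScheduledTaskTrigger -Daily -At 3am) -Force
    }
}
```

The database backups do not contain the CA key; take a one-off key backup (certutil -backupKey, or the wizard's first option) whenever the CA certificate is renewed, and keep it somewhere other than the backup share.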

Key and Certificate Archival and Recovery

EFS data recovery agents can decrypt a user's files, but they should be used only when there is no hope of the document owner regaining access. Key archival addresses the problem earlier: the user's private key is stored, encrypted, in the CA database when the certificate is issued, and it can be restored if the user's copy is lost. Private keys are lost when a user's profile is lost or corrupted, or when a smart card holding the private key is lost or damaged.

There are two methods for archiving private keys.

Method 1.

Manual archival requires users to export their keys to a password-protected file by using the Certificates snap-in; the password must be entered to import the key. The certificate template the key was issued from must allow the private key to be exported. The default depends on the template: the EFS and User templates allow export, while the Computer and IPSec templates do not.

The procedure for exporting the private key for a certificate is straightforward:

1. Open the Certificates snap-in.

2. Locate the certificate for the key you want to export.

3. Right-click the certificate, point to All Tasks, and click Export.

4. The Certificate Export Wizard walks you through the process.

The Certificate Export Wizard exports the certificate and, if the key is exportable, optionally the private key with it. You are prompted for the export format; the only format that can carry the private key together with the certificate is Personal Information Exchange (PKCS #12, a .pfx file), so when the key is included the other formats are disabled. If only the certificate is exported, the other formats are enabled. Exporting the certificate without the private key is useful when the certificate is to be used on another computer or OS, or kept for later recovery if the certificate is lost; it contains no secret. To import a certificate and/or private key, in the Certificates snap-in right-click the folder you want to import into, point to All Tasks, and click Import.
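The same export and import done from PowerShell, as an added example that is not part of the original page. It handles the non-exportable case the text mentions (Computer and IPSec templates): the certificate is always saved on its own, and the PFX is written only when the key can leave the store. The thumbprint is a placeholder.

```powershell
# Added example: manual archival of a user's key as PKCS #12 (.pfx) and the import.
# List candidates with: Get-ChildItem Cert:\CurrentUser\My | Where-Object HasPrivateKey

function Export-UserKeyToPfx {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-Item "Cert:\CurrentUser\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "No private key for $Thumbprint in CurrentUser\My" }

    # Always save the certificate alone (DER). It holds no secret and covers the
    # "use on another computer / keep for later" case.
    $cerPath = [IO.Path]::ChangeExtension($PfxPath, '.cer')
    Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

    try {
        # EndEntityCertOnly: do not bundle the issuing chain into the file.
        Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password `
            -ChainOption EndEntityCertOnly | Out-Null
        return $PfxPath
    } catch {
        # Keys from templates without "Allow private key to be exported" land here:
        # the certificate was saved, the key stays where it is.
        Write-Warning "Private key not exportable; only $cerPath was written. ($($_.Exception.Message))"
        return $cerPath
    }
}

function Import-UserKeyFromPfx {
    param(
        [Parameter(Mandatory)] [string] $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [switch] $Exportable   # omit to make the imported key non-exportable on this machine
    )
    Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\CurrentUser\My `
        -Password $Password -Exportable:$Exportable
}

# Usage (placeholders):
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
Export-UserKeyToPfx -Thumbprint 'REPLACE_WITH_THUMBPRINT' -PfxPath "$env:USERPROFILE\efs-key.pfx" -Password $pw
```

Import without -Exportable on the destination machine, so that a later compromise of that profile cannot re-export the key; the .pfx itself should be deleted or moved offline once imported.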

Method 2.

Automatic key archival is available on enterprise CAs (before Windows Server 2012 it required the Enterprise or Datacenter edition) for when manual archival isn't adequate. It uses a key recovery agent (KRA), a designated user with the right to recover archived keys. A KRA can decrypt every key archived to it, so choose the user carefully. The designated user must enroll for a Key Recovery Agent certificate after the Key Recovery Agent template has been configured to allow that user to enroll; by default the request also requires a certificate manager's approval. The KRA certificate is then added on the Recovery Agents tab of the CA's Properties dialog box.

After a KRA is assigned and archival is enabled on the Recovery Agents tab, the private key of every certificate issued from a template with Archive subject's encryption private key selected (on the template's Request Handling tab) is archived automatically; key export is not what triggers archival. Multiple KRAs can be used for each key by entering a value in the Number of recovery agents to use box. This number is usually the same as the number of certificates in the Key recovery agent certificates list, so that every installed KRA can recover every key.

The number of recovery agents can't be more than the number of KRA certificates installed. If you specify a smaller number, the CA picks that many certificates round-robin for each archival, so for any given key you must first determine which KRAs can recover it.


For example, if two recovery agents are specified and four KRA certificates are installed, two of the four certificates are chosen for each archived key, and either of those two KRAs (but not the other two) can decrypt it.

The recovery of a key that has been archived automatically typically follows these steps:

1. The user who has lost his or her private key contacts the Certificate Manager (role holder) to request key recovery.

2. The Certificate Manager locates the key in the CA database.

3. The Certificate Manager inspects the encrypted key’s properties to determine which KRAs can recover the key.

The Certificate Manager can retrieve the encrypted key blob from the CA database but can't decrypt it unless he or she is also a designated KRA.

4. The key is sent to a KRA for decryption.

5. The KRA decrypts the key and sends it to the user in a password-protected file.

6. The user imports the key, using the password supplied by the KRA.
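The six steps above as commands, added here as an example that is not from the original page. Stage 1 runs as the Certificate Manager and stage 2 as a KRA; each stage fails if run with the other role's credentials, which is the separation the procedure relies on. The UPN and serial number are placeholders.

```powershell
# Added example: key recovery with certutil, split by role.

# ---- Stage 1: Certificate Manager ----
# List the user's archived keys. KeyRecoveryHashes shows the hashes of the KRA
# certificates that can decrypt each one (empty = nothing archived for that request).
certutil -view -restrict "UPN=user@corp.example" `
    -out "RequestId,SerialNumber,NotAfter,KeyRecoveryHashes"

# Pull one archived key out of the CA database as an encrypted blob. The file is a
# PKCS #7 message enveloped to the KRA(s) chosen when the key was archived, and
# certutil prints those recipient KRA certificates as it writes it.
$serial = 'REPLACE_WITH_SERIAL_NUMBER'
certutil -getkey $serial .\user-recovery.blob
# Hand user-recovery.blob to one of the printed KRAs (out of band).

# ---- Stage 2: KRA (holds the private key of one of the recipient certificates) ----
# Decrypt and repackage as a password-protected PFX. certutil takes the password
# on the command line, so the SecureString is unwrapped only for that call.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for the recovered PFX'
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
certutil -p $plain -recoverkey .\user-recovery.blob .\user-recovered.pfx
Remove-Variable plain

# ---- Stage 3: the user ----
# Import the recovered key; the password travels separately from the file.
Import-PfxCertificate -FilePath .\user-recovered.pfx -CertStoreLocation Cert:\CurrentUser\My `
    -Password $pfxPassword | Out-Null
```

Every -getkey and -recoverkey call is logged by the CA when the audit filter's archived-key category is enabled, which is the control that makes a KRA's power reviewable.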

Cmdlet                                       Description
Add-CACrlDistributionPoint                   Adds a CRL distribution point URI to the CA
Add-CATemplate                               Adds a certificate template to the list the CA can issue
Backup-CARoleService                         Backs up the CA database and private key data
Get-CACrlDistributionPoint                   Gets all CRL distribution point URIs configured on the CA
Get-CATemplate                               Gets the list of templates the CA can use to issue certificates
Remove-CACrlDistributionPoint                Removes a CRL distribution point URI from the CA
Remove-CATemplate                            Removes a template from the list the CA can issue
Restore-CARoleService                        Restores the CA database and private key data
Install-AdcsCertificationAuthority           Configures the Certification Authority role service
Install-AdcsNetworkDeviceEnrollmentService   Configures the Network Device Enrollment Service (NDES) role service
Install-AdcsOnlineResponder                  Configures the Online Responder role service
Install-AdcsWebEnrollment                    Configures the Certification Authority Web Enrollment role service

The first eight cmdlets are in the ADCSAdministration module; the Install-Adcs* cmdlets are in ADCSDeployment.
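The ADCSAdministration cmdlets from the table used together, as an added example that is not from the original page: replacing a new issuing CA's default CDP and AIA locations with a single HTTP URL and publishing one template. pki.corp.example is a placeholder host that must serve the CA's CertEnroll folder.

```powershell
# Added example: set HTTP CDP/AIA locations and publish a template with the
# ADCSAdministration cmdlets. Run elevated on the CA.
Import-Module ADCSAdministration

$httpBase = 'http://pki.corp.example/CertEnroll'   # placeholder

# Drop every default CDP except the local file path the CA itself writes to.
Get-CACrlDistributionPoint |
    Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CACrlDistributionPoint -Uri $_.Uri -Force }

# <CaName>, <CRLNameSuffix> and <DeltaCRLAllowed> are expanded by the CA.
# -AddToCertificateCdp puts the URL into issued certs; -AddToFreshestCrl into delta CRL pointers.
Add-CACrlDistributionPoint -Uri "$httpBase/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl" `
    -AddToCertificateCdp -AddToFreshestCrl -Force

# Same for AIA: keep only the HTTP location clients use to build chains.
Get-CAAuthorityInformationAccess |
    Where-Object { $_.Uri -notlike 'C:\*' } |
    ForEach-Object { Remove-CAAuthorityInformationAccess -Uri $_.Uri -Force }
Add-CAAuthorityInformationAccess -Uri "$httpBase/<ServerDNSName>_<CaName><CertificateName>.crt" `
    -AddToCertificateAia -Force

# Publish only the templates this CA should issue, then show the resulting list.
Add-CATemplate -Name 'WebServer' -Force
Get-CATemplate

# CDP/AIA settings are read at service start; publish a fresh CRL afterwards.
Restart-Service certsvc
certutil -crl
```

Keep CDP and AIA on plain HTTP: a client that had to validate a TLS certificate to download a CRL would need that CRL to validate the TLS certificate.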


Uninstall, Migrate the CA

When you remove a CA from a domain, read and follow this article: https://support.microsoft.com/en-au/help/889250/how-to-decommission-a-windows-enterprise-certification-authority-and-r

If you want to move the CA to another server: export the CA certificate with its private key, back up the old CA's database and registry configuration, uninstall the old CA, and only then install the CA on the new server and restore; the new server does not need to have the same name. Do not install the CA on the new server first and then uninstall it on the old server. The uninstall removes the CA's enrollment service object from Active Directory, and clicking Certificate Templates in the CA MMC console on the new server then fails with "Template information could not be loaded. Element not found", with this event logged:

Event ID: 44
Date: 
Time: 
User: N/A
Computer: xxxxxxxxx

Description:
The "Windows default" Policy Module "Initialize" method returned an error. Element not found. The returned status code is 0x80070490 (1168).  Certificate Services could not find required Active Directory information.


Uninstalling a CA removes only its pKIEnrollmentService object from Active Directory, the object that tells clients which CAs they can enroll against; that is what prevents clients from trying to enroll with the decommissioned CA. The CA certificate published to the AIA, CDP and Certification Authorities containers stays until you clean it up as the article above describes.

When a new CA with the same name was installed before the old one was uninstalled, the uninstall deletes the object the new CA relies on, and the only fix is to uninstall the CA on the new server and install it again.
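The migration order the paragraphs above insist on, as an added example that is not from the original page or the linked articles. Part A runs on the old server and ends with the uninstall; Part B runs on the new server afterwards and reuses the old CA certificate and key so that issued certificates and CRLs stay valid. Paths are placeholders.

```powershell
# Added example: move a CA to a new server, keeping its name, certificate and key.

# ---- Part A: old server (back up first, uninstall last) ----
$backup = 'D:\CAMigration'   # placeholder; copy to the new server when Part A is done
New-Item -ItemType Directory -Path $backup -Force | Out-Null
$pw = Read-Host -AsSecureString -Prompt 'Password to protect the CA key PFX'
Backup-CARoleService -Path $backup -Password $pw -KeepLog   # writes <CAName>.p12 and DataBase\
reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration "$backup\CertSvc.reg" /y
certutil -catemplates | Out-File "$backup\templates.txt"
# Only now remove the role. This deletes the CA's pKIEnrollmentService object in AD,
# which is why the new CA must not exist yet.
Uninstall-AdcsCertificationAuthority -Force
Uninstall-WindowsFeature ADCS-Cert-Authority

# ---- Part B: new server ----
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
$pw  = Read-Host -AsSecureString -Prompt 'Password of the CA key PFX'
$pfx = (Get-ChildItem "$backup\*.p12" | Select-Object -First 1).FullName
# -CertFile installs the CA with the existing certificate and key instead of
# generating new ones. Use -CAType EnterpriseSubordinateCA for an issuing CA.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile $pfx -CertFilePassword $pw -Force
Stop-Service certsvc              # the database can only be restored while the CA is stopped
Restore-CARoleService -Path $backup -Password $pw -Force
# Import the saved configuration only after removing host-specific values from the
# .reg file (CAServerName, DBDirectory, DBLogDirectory, anything naming the old host).
reg import "$backup\CertSvc.reg"
Start-Service certsvc
# Re-publish the templates the old CA issued. certutil -catemplates prints one
# "<Name>: <DisplayName> -- ..." line per template.
Get-Content "$backup\templates.txt" | ForEach-Object {
    if ($_ -match '^(\S+):') { Add-CATemplate -Name $Matches[1] -Force }
}
```

After Part B, run pkiview.msc (or certutil -dsdel for leftovers) to confirm the CA certificate, CRL and AIA entries in AD still point at locations that resolve, and delete the .p12 copies once the new CA is issuing.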

Migrating CA to new server:

https://techcommunity.microsoft.com/t5/ITOps-Talk-Blog/Step-By-Step-Migrating-The-Active-Directory-Certificate-Service/bc-p/700730#M270%3FWT.mc_id=ITOPSTALK-blog-abartolo

Lab reflection:

Problem: In the Certificate Web Enrollment lab, I misconfigured the SSL settings in the Sites > Default Web Site > CertEnroll node instead of the Sites > Default Web Site > CertSrv node. Web enrollment requires HTTPS but OR does not in our lab.

So in the OR lab, the testing from the client side always says "connection forbidden".

Solution:

In IIS Manager, go to the SSL settings in the Sites > Default Web Site > CertEnroll node and uncheck "Require SSL". Then configure the SSL settings in the Sites > Default Web Site > CertSrv node and check "Require SSL".
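A check for the misconfiguration described in the lab reflection, added here as an example that is not part of the original page. It reads the Require SSL flag of each relevant virtual directory under the Default Web Site and corrects the ones that are wrong: CertSrv (web enrollment) must require TLS, while CertEnroll (CRL and AIA downloads) and ocsp (Online Responder) must not, because clients fetch revocation data before they can validate any TLS certificate. Locations not present on this server are skipped.

```powershell
# Added example: audit and fix the Require SSL flag per virtual directory.
Import-Module WebAdministration

function Get-RequireSsl([string] $Location) {
    $v = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
            -Filter 'system.webServer/security/access' -Name 'sslFlags'
    if ($v -is [string]) { $v } else { [string]$v.Value }
}

function Set-RequireSsl([string] $Location, [bool] $Required) {
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter 'system.webServer/security/access' -Name 'sslFlags' `
        -Value $(if ($Required) { 'Ssl' } else { 'None' })
}

# Expected state per location (true = Require SSL on).
$expected = [ordered]@{
    'Default Web Site/CertSrv'    = $true
    'Default Web Site/CertEnroll' = $false
    'Default Web Site/ocsp'       = $false
}

foreach ($loc in $expected.Keys) {
    $iisPath = 'IIS:\Sites\' + ($loc -replace '/', '\')
    if (-not (Test-Path $iisPath)) { "{0,-30} not present, skipped" -f $loc; continue }
    $flags = Get-RequireSsl $loc
    $isOn  = $flags -match 'Ssl'
    if ($isOn -eq $expected[$loc]) {
        "{0,-30} sslFlags={1,-8} OK" -f $loc, $flags
    } else {
        "{0,-30} sslFlags={1,-8} wrong, setting RequireSsl={2}" -f $loc, $flags, $expected[$loc]
        Set-RequireSsl $loc $expected[$loc]
    }
}
```

Changing sslFlags takes effect immediately for new connections; if CertSrv was served over plain HTTP before, clients that cached the http:// URL will now get a 403 until they switch to https://.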

2-year validity period

By default, a Microsoft CA caps the validity of the certificates it issues at 2 years (the CA's ValidityPeriod and ValidityPeriodUnits registry values), on the principle that keys should be rotated regularly.

This cap applies even if you publish a template with a validity longer than 2 years: certificates issued from that template are still limited to 2 years. An issued certificate can also never outlive the CA's own certificate, whatever the cap says.

If this is not an acceptable length of time, you can modify the following values in the registry (use CurrentControlSet rather than a numbered control set; <CA Service Name> is the CA's sanitized name):

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<CA Service Name>]

"ValidityPeriod"="Years"
"ValidityPeriodUnits"=dword:00000002

To allow 3 years, change ValidityPeriodUnits to dword:00000003 (or run certutil -setreg ca\ValidityPeriodUnits 3, which writes the same value). The CA reads these values at service start, so restart the CA service:

net stop certsvc
net start certsvc
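The same change done with certutil, plus the check a practitioner wants before raising the cap, as an added example that is not from the original page: the effective lifetime of an issued certificate is the shortest of the template's validity, this cap, and the remaining lifetime of the CA's own certificate, so the script also reports how long the CA certificate has left.

```powershell
# Added example: raise the issuance cap to 3 years and check the CA certificate's
# remaining lifetime. Run elevated on the CA.

certutil -getreg ca\ValidityPeriod        # "Years"
certutil -getreg ca\ValidityPeriodUnits   # 2 by default
certutil -setreg ca\ValidityPeriod 'Years'
certutil -setreg ca\ValidityPeriodUnits 3
Restart-Service certsvc                   # CA\ values are read at service start

function Get-CACertRemainingLifetime {
    $cfg    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty $cfg).Active            # sanitized name of the active CA
    $caCfg  = Get-ItemProperty "$cfg\$caName"
    # CACertHash holds one hash per CA certificate (renewals append); the last is current.
    $hash   = (([string[]]$caCfg.CACertHash)[-1] -replace ' ', '').ToUpper()
    $cert   = Get-Item "Cert:\LocalMachine\My\$hash"
    $years  = ($cert.NotAfter - (Get-Date)).TotalDays / 365.25
    [pscustomobject]@{
        CA             = $caName
        CACertNotAfter = $cert.NotAfter
        YearsRemaining = [math]::Round($years, 2)
        # A 3-year cap buys nothing if the CA certificate itself expires sooner;
        # issued certificates are truncated to the CA certificate's NotAfter.
        CapEffective   = $years -ge 3
    }
}
Get-CACertRemainingLifetime
```

If CapEffective comes back false, renew the CA certificate first; otherwise every certificate issued from now on silently gets a shorter lifetime than the template and the cap promise.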